Monday, June 19, 2017

Executive Summary

The Foscam C1 is a webcam that is marketed for use in a variety of applications including home security monitoring. As an indoor webcam, it is designed to be set up inside of a building and features the ability to be accessed remotely via a web interface or from within a mobile application. Talos recently identified several vulnerabilities in the Foscam C1 camera that could be used by attackers for a variety of purposes, including access to and retrieval of sensitive information stored on the camera, execution of arbitrary commands within the camera's operating system, and, in several cases, complete compromise of the device. As these cameras are commonly deployed in sensitive locations and used as baby monitors, security cameras, etc., it is recommended that affected devices be updated as quickly as possible to ensure that they are no longer vulnerable.

In accordance with our responsible disclosure policy, Talos has worked with Foscam to resolve these issues, which has resulted in the release of a firmware update addressing them.

Vulnerability Details

Talos recently discovered that Foscam C1 Indoor HD Cameras contain undocumented, hardcoded FTP credentials that could allow an attacker to remotely log in to affected devices and gain full read and write access to the Micro-SD card mounted within the device. This access could be used to obtain sensitive information such as audio and video recordings, images, and other data stored on the Micro-SD card. This vulnerability, TALOS-2016-0245, has been assigned CVE-2016-8731. For additional information, please see the advisory here.

Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.

Foscam C1 Indoor HD Cameras are vulnerable to a stack-based buffer overflow in the "CGIProxy.fcgi" service of the web management interface. An attacker could use a specially crafted HTTP request to trigger this overflow condition. This vulnerability could be leveraged by an attacker to achieve code execution on vulnerable devices. This vulnerability, TALOS-2017-0299, has been assigned CVE-2017-2805. For additional information, please see the advisory here.

Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service of the web management interface. An attacker could insert arbitrary characters into the "addAccount" command via either the "usrName" or "usrPwd" parameters, resulting in execution of arbitrary OS commands. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. This vulnerability, TALOS-2017-0328, has been assigned CVE-2017-2827. For additional information, please see the advisory here.

Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service of the web management interface. An attacker could insert arbitrary characters into the "changePassword" command during the account password change process, resulting in execution of arbitrary OS commands. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. TALOS-2017-0329 has been assigned CVE-2017-2828. For additional information, please see the advisory here.

Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.

Foscam C1 Indoor HD Cameras are vulnerable to a directory traversal vulnerability present in the "CGIProxy.fcgi" service of the web management interface. This vulnerability could allow an attacker to retrieve arbitrary files from the camera using an HTTP request. This could result in the disclosure of sensitive information. This vulnerability is due to a failure to adequately sanitize user input and could allow an attacker to traverse outside of the intended directory structure of the web interface. TALOS-2017-0330 has been assigned CVE-2017-2829. For additional information, please see the advisory here.

Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.

Foscam C1 Indoor HD Cameras are vulnerable to a buffer overflow vulnerability present in the "CGIProxy.fcgi" service of the web management interface. Exploitation of this vulnerability could result in the execution of arbitrary code on affected devices. An attacker could trigger this vulnerability using a specially crafted HTTP request to overwrite the buffer on the stack and ultimately obtain control over code execution flow within the device. This vulnerability is due to a failure of the device to perform proper bounds checking on input received from users. TALOS-2017-0331 has been assigned CVE-2017-2830. For additional information, please see the advisory here.

Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.

Foscam C1 Indoor HD Cameras are vulnerable to a buffer overflow vulnerability present in the "FCGX_Init" function within the "CGIProxy.fcgi" service of the web management interface. An attacker could leverage this vulnerability to obtain remote code execution on affected devices. This vulnerability could be triggered using a specially crafted HTTP request and allow an attacker to overwrite the buffer or obtain control over code execution flow within affected devices. TALOS-2017-0332 has been assigned CVE-2017-2831. For additional information, please see the advisory here.

Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present within the "webService" application that is launched by the device during the bootup process. An attacker could leverage this vulnerability to execute operating system commands on the device during device startup. This vulnerability can be exploited using any command that allows for changing an account password (e.g. changePassword). During startup, the FTP service is configured using shell commands without sanitizing the password parameter, resulting in execution of the attacker-supplied commands. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. The injected command would then be executed once the device reboots. TALOS-2017-0334 has been assigned CVE-2017-2833. For additional information, please see the advisory here.

Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands during the Account Deletion process within the web interface. An attacker could exploit this vulnerability using a specially crafted HTTP request. The vulnerability is triggered when the "delAccount" command is invoked. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. TALOS-2017-0335 has been assigned CVE-2017-2832. For additional information, please see the advisory here.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the "msmtprc" configuration file on the device, resulting in execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the "smtpTest" command and injecting commands into the "SMTP Test Host" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0343 has been assigned CVE-2017-2841. For additional information, please see the advisory here.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the "msmtprc" configuration file on the device, resulting in the execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the "smtpTest" command and injecting commands into the "SMTP Test User" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0344 has been assigned CVE-2017-2842. For additional information, please see the advisory here.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the "msmtprc" configuration file on the device, resulting in the execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the "smtpTest" command and injecting commands into the "SMTP Test Password" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0345 has been assigned CVE-2017-2843. For additional information, please see the advisory here.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the "msmtprc" configuration file on the device, resulting in the execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the "smtpTest" command and injecting commands into the "SMTP Test Sender" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0346 has been assigned CVE-2017-3844. For additional information, please see the advisory here.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands during the SMTP configuration testing process. This vulnerability can be reached by invoking the "smtpTest" command and injecting attacker-specified operating system commands. A specially crafted HTTP request can be used to exploit this vulnerability. This vulnerability requires an attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0347 has been assigned CVE-2017-2845. For additional information, please see the advisory here.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with manual networking configuration. This vulnerability can be reached by invoking the "setIpInfo" command and injecting commands into the "Gateway Address" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0348 has been assigned CVE-2017-2846. For additional information, please see the advisory here.

Foscam IP Video Camera CGIProxy.fcgi DNS1 Address Configuration Command Injection Vulnerability (TALOS-2017-0349 / CVE-2017-2847)

Vulnerability Discovered by Claudio Bozzato of Cisco Talos.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with manual networking configuration. This vulnerability can be reached by invoking the "setIpInfo" command and injecting commands into the "DNS1" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0349 has been assigned CVE-2017-2847. For additional information, please see the advisory here.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with manual networking configuration. This vulnerability can be reached by invoking the "setIpInfo" command and injecting commands into the "DNS2" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0350 has been assigned CVE-2017-2848. For additional information, please see the advisory here.

Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with NTP server address configuration. This vulnerability can be reached by invoking the "setSystemTime" command and injecting commands into the "ntpServer" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0351 has been assigned CVE-2017-2849. For additional information, please see the advisory here.
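The "setIpInfo" and "setSystemTime" issues above involve address fields whose contents reach OS commands. The following C code is an added example of strict allowlist validation for such fields, not the vendor's fix: the function names are hypothetical, and the accepted formats (IPv4 literals for gateway and DNS fields, an IPv4 literal or RFC 1123 hostname for the NTP server) are assumptions about what these fields should hold.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Gateway, DNS1, DNS2: accept only a dotted-quad IPv4 literal. */
bool valid_ipv4(const char *s)
{
    struct in_addr addr;
    /* inet_pton() rejects any trailing byte, so "8.8.8.8;x" does not parse. */
    return s != NULL && strlen(s) <= 15 && inet_pton(AF_INET, s, &addr) == 1;
}

/* RFC 1123 hostname: labels of [A-Za-z0-9-], 1..63 bytes each, no leading
 * or trailing hyphen, total length 1..253, no trailing dot. */
bool valid_hostname(const char *s)
{
    size_t len, label = 0;
    if (s == NULL || (len = strlen(s)) == 0 || len > 253)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return false;        /* empty label or trailing hyphen */
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label == 0)
                return false;        /* leading hyphen */
            if (++label > 63)
                return false;        /* label too long */
        } else {
            return false;            /* space, ';', '$', '`', quotes, ... */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* ntpServer: an IPv4 literal or a hostname, nothing else. */
bool valid_ntp_server(const char *s)
{
    return valid_ipv4(s) || valid_hostname(s);
}
```

Rejecting the request when validation fails, rather than stripping characters and continuing, keeps the field's grammar unambiguous.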

Foscam C1 Indoor HD Cameras are vulnerable to an injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the "pureftpd.passwd" configuration file on the device during a username change operation, enabling the attacker to break out of the chroot environment associated with the FTP service on the device. This vulnerability could be used to escalate privileges on affected devices. This vulnerability is reachable by invoking the "changeUserName" command and requires an attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0352 has been assigned CVE-2017-2850. For additional information, please see the advisory here.

Foscam C1 Indoor HD Cameras are vulnerable to a stack-based buffer overflow vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability can be exploited using a specially crafted HTTP request during the WiFi configuration on the device. This vulnerability could allow an attacker to overwrite the buffer and potentially lead to remote code execution on affected devices. This vulnerability is reachable by invoking the "setWifiSetting" command. Exploitation of this vulnerability requires an attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0353 has been assigned CVE-2017-2851. For additional information, please see the advisory here.

Versions Tested

Talos has tested and confirmed that the following Foscam firmware versions are affected:

Conclusion

One of the most commonly deployed IP cameras is the Foscam C1. In many cases these devices may be deployed in sensitive locations. They are marketed for use in security monitoring, and many people use these devices to monitor their homes, children, and pets remotely. As such, it is highly recommended that the firmware running on these devices be kept up-to-date to ensure the integrity of the devices, as well as the confidentiality of the information and environments that they are monitoring. Foscam has released a firmware update, version V-2.x.2.43, to resolve these issues. Users of the affected devices should update to this new version as quickly as is operationally feasible to ensure that their devices are not vulnerable.

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.